KR101768082B1 - Securing method for protecting the ransomware - Google Patents


Info

Publication number
KR101768082B1
Authority
KR
South Korea
Prior art keywords
module
backup
file
follow
target file
Application number
KR1020150176971A
Other languages
Korean (ko)
Other versions
KR20170069584A (en)
Inventor
배환국
이재필
Original Assignee
소프트캠프(주)
Application filed by 소프트캠프(주)
Priority to KR1020150176971A
Publication of KR20170069584A
Application granted
Publication of KR101768082B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operation
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1446 Point-in-time backing up or restoration of persistent data
    • G06F11/1458 Management of the backup or restore process
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Quality & Reliability (AREA)
  • Virology (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a security method against ransomware, i.e. malicious code that converts files stored on a network-connected computer or mobile terminal without authorization, restricts the user's access to them, and demands money or information. The method comprises: a checking step in which the checking module confirms, from the OS, the request function and the target file of a process; a backup step of comparing the request function with a designated function and, when the request function is confirmed to be a designated function, backing up the target file and storing the backup file in the storage module; an interruption step in which the checking module compares the backup amount of the backup module with a threshold value and stops the process when the backup amount exceeds the threshold value; a query step in which the follow-up process module confirms, from the checking module, the execution program and the target file of the suspended process and outputs a query window displaying the execution program name and the target file name; and a process termination step of terminating the interrupted process, or terminating both the process and the program, when the follow-up process module receives an input signal rejecting continuation of the process.

Description

SECURING METHOD FOR PROTECTING THE RANSOMWARE

The present invention relates to a security method for protecting files from ransomware, malicious code that converts files stored on a network-connected computer or mobile terminal without permission, restricts the user's access to them, and demands money or information.

Data processing technologies of computers and mobile terminals (hereinafter referred to as "network terminals") and network technologies such as the Internet and Ethernet (hereinafter referred to as "communication networks") are now highly developed.

However, the large amount of information handled by network terminals and communication networks includes not only the information a user wants but also computer viruses, spyware, adware and the like spread by malicious attackers. Such malicious code can damage or disable the network terminal, or cause the user to perform unintended operations. Accordingly, efforts and techniques for continuously monitoring such malicious code and blocking the operations it causes on network terminals are continuously pursued and developed.

A conventional security apparatus stores malicious code patterns in a DB in advance in order to detect malicious code activity, and, periodically or on a user's command, checks whether any pattern in the DB exists in any file stored at any location (drive, directory, etc.) of the network terminal (including a server). However, this method of indiscriminately scanning the large number of unspecified files stored in a network terminal wastes much time and many resources. In addition, the conventional security device only determines whether a file contains malicious code at the time of the scan. As techniques for generating and activating malicious code have developed, so have techniques by which code that is not active, or is not itself malicious, at the time of the scan begins to act as malicious code when a certain data operation is performed or at a certain point in time.

Among malicious code, so-called "ransomware" has appeared: it forcibly converts files in a network terminal so that the user cannot access them, and demands money or information when the user attempts to access a file. Ransomware is regarded as an especially harmful form of malicious code because it extorts money or information, and is considered the worst kind of malicious code.

Therefore, development of security devices such as vaccine (anti-virus) programs capable of protecting a user's files from ransomware has been pursued continuously.

However, because ransomware is easily upgraded, the security device had to be updated frequently, and a network terminal whose security device was not updated was easily infected with ransomware, causing serious damage.

As a result, there is an urgent need for a security device that can prevent ransomware activity and protect data without requiring updates of the security device.

Prior Art Document 1. Patent Publication No. 10-2008-0010003 (published on January 30, 2008)

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and its object is to provide a security method against ransomware that protects files stored on a network terminal from unauthorized conversion.

According to an aspect of the present invention, there is provided a security method against ransomware, comprising:

A checking step of checking, by the checking module, the request function and the target file of a process;

A backup step of comparing the request function with a designated function and, when the request function is confirmed as a designated function, backing up the target file and storing the backup file in the storage module;

An interruption step in which the checking module compares the backup amount of the backup module with a threshold value and stops the process when the backup amount exceeds the threshold value;

A query step in which the follow-up process module confirms, from the checking module, the execution program and the target file of the suspended process and outputs a query window displaying the execution program name and the target file name; and

A process termination step of terminating the interrupted process, or terminating both the process and the program, when the follow-up process module receives an input signal rejecting continuation of the process.

The present invention as described above detects changes such as deletion, extension modification, data modification and renaming of a stored file, backs up the stored file that is the target, temporarily interrupts the process, and lets the user decide whether it continues, so that files stored in the network terminal can be safely protected from the risk of ransomware even when the security device of the network terminal is not updated.

FIG. 1 is a block diagram showing an embodiment of a security device in which a security method according to the present invention is performed;
FIG. 2 is a flowchart sequentially showing an embodiment of a security method according to the present invention;
FIG. 3 is a view schematically showing an embodiment of a process of confirming a file change to a user through a query window in the security method according to the present invention; and
FIG. 4 is a flowchart showing another embodiment of the security method according to the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The above and other features and advantages of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings. The present invention is capable of various modifications and forms, and specific embodiments are illustrated in the drawings and described in detail in the text. It should be understood, however, that the invention is not intended to be limited to the particular forms disclosed, but includes all modifications, equivalents and alternatives falling within its spirit and scope. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating an embodiment of a security apparatus according to the present invention, and the apparatus is described below with reference to that figure.

The security device 10 according to the present invention is installed in a network terminal (CO) such as a personal computer (CO1, CO2) or a server (CO3) and protects the files stored there from malicious code.

The security device 10 of the present embodiment comprises:

  • a checking module 11, which confirms the request function and the target file that a process requests from the operating system (OS) 20, compares the backup amount of the backup module 12 with a threshold value, and stops the process requesting the function when the backup amount exceeds the threshold value;
  • a backup module 12, which backs up the target file when the request function to the OS 20 is a designated function, or when the target file is identified by at least one selected designated extension or designated file;
  • a storage module 13, which stores the backup files of the backup module 12;
  • a follow-up processing module 14, which outputs a query window for the follow-up of the process to the output means of the network terminal (CO), terminates the process of the program requesting the designated function according to the input signal, and restores the target file;
  • an access control module 15, which encrypts and decrypts the storage module 13 so as to block access to the storage module 13; and
  • a security setting module 16, through which the threshold value of the checking module 11, at least one of the designated function, designated extension and designated file of the backup module 12, and the backup capacity of the storage module 13 are adjusted and set.

As described above, the security device 10 of the present embodiment can securely protect target files requiring protection from malicious code such as ransomware without updating the security device, and allows flexible security processing.

The security device 10 of the present embodiment will now be described in more detail together with the security method against ransomware.

FIG. 2 is a flowchart sequentially illustrating an exemplary embodiment of a security method according to the present invention, and FIG. 3 schematically illustrates an example of a process of confirming a file change to a user through a query window in the security method according to the present invention; the method is described with reference to these figures.

S10; Process verification step

The checking module 11 checks the function that a process requests from the OS 20 (hereinafter referred to as the 'request function') and the extension of the target file of that process. A program execution process or an operating process of the OS 20 requests a large number of functions from the OS 20. Among these, the functions that delete a file, modify a file extension, modify file data or rename a file are hereinafter referred to as 'change functions'. In general, ransomware blocks the user from accessing a file by using a change function to alter the original file, making it impossible for the user to use the file. Therefore, the checking module 11 checks the request function requested from the OS 20 and the extension of the target file of the process.

In the present embodiment, the checking module 11 checks the extension of the target file of the request function as well, but it may check only the request function. For reference, in order to protect specific files from ransomware, the security method of this embodiment may confirm only the extension of the target file, only whether the request function is a change function, or both the request function and the extension of the target file.

S21, 22; The request function validation and backup step (S20)

The backup module 12 of the present embodiment confirms whether the request function identified by the checking module 11 is a designated function, i.e. one or more of the change functions, and, if the request function is determined to be a designated function, backs up the target file and stores the backup file in the storage module 13. For reference, since the backup of the target file is performed before the OS 20 executes the function, the backed-up data of the target file retains the original.

In addition, the backup module 12 of the present embodiment confirms whether the extension of the target file of the request function identified by the checking module 11 is a designated extension and, if so, backs up the target file and stores the backup file in the storage module 13. As described above, since the backup is performed before the OS 20 executes the function, the backed-up data retains the original.

The storage module 13 may be a virtual disk on which encryption and decryption are performed; this is described further below.

S31, 32; The change function process interruption step (S30)

If the backup amount of the backup module 12 per unit time is found to exceed the threshold value, the checking module 11 interrupts the process executing the request function and stops the change to the target file.

As described above, when the checking module 11 confirms a designated function request in which an arbitrary process makes a file with a designated extension its target file in the OS 20, the backup module 12 backs up all of the target files. Since ransomware changes a large number of protected files stored in the network terminal CO at once, the checking module 11 finds that the backup module 12 has many target files to back up, and the backup amount of the backup module 12 per unit time is inevitably large.

The checking module 11 checks the backup amount of the backup module 12 and, if the set threshold value is exceeded, regards the process as ransomware and stops it.

Conversely, when the checking module 11 confirms that the backup amount of the backup module 12 does not exceed the threshold value, it regards the process as legitimate and lets the subsequent procedure continue.

S40; Query step

The follow-up processing module 14 outputs a query window for the process follow-up to the output means of the network terminal (CO), terminates the process of the program requesting the change function according to the input signal, and restores the target file.

When the follow-up processing module 14 confirms the process interruption performed by the checking module 11, it obtains from the checking module 11 the program requesting the designated function and the target file and, as shown in FIG. 3 (a), outputs to the output means of the network terminal (CO) a query window displaying the program name and the target file name.

In this query window, "HANCOAM" is shown attempting to rename a '.doc' file, and the window waits for the user's answer. Meanwhile, the checking module 11 keeps the process of the program requesting the designated function stopped until the user answers. In this case only one file name to be changed is displayed in the query window; however, in the case of unauthorized change by ransomware, a plurality of target files may be changed, and the query window may output the plurality of target files as a list.

When a file change results from the user's own selection, the window of the program operating on the file is being shown on the output means. When the file change is not the user's selection, the desktop or the window of a program unrelated to the file is being shown instead. Accordingly, the present embodiment shows the query window output to an output means on which a web page is displayed.

Subsequently, the follow-up processing module 14 outputs selection buttons such as 'agree' and 'reject' for the user's answer; the user selects one of the buttons to generate an input signal for the answer, and the follow-up processing module 14 receives the input signal and continues with the next procedure.

S50; Process end step

The follow-up processing module 14 terminates the process changing the target file in response to the input signal rejecting continuation, and may further terminate the program. Also, in consideration of the change already made to the target file, the backup file stored in the storage module 13 is restored. The restoration may be performed after deleting the target file, by overwriting the target file, or by restoring the backup file under a different name while keeping the target file.

The query window shown in FIG. 3 (b) is output when the user rejects continuation of the process by clicking the 'reject' button in the previous query window, and confirms the termination of the process. The present embodiment may also terminate the program that generated the ended process, and may output a selection button for the user to confirm the program. For reference, the program can be checked through the 'program installation/removal' menu provided by the OS 20.

S60; Process follow-up step

The follow-up processing module 14 releases the interruption of the process via the checking module 11 in response to the input signal agreeing to the follow-up, and execution of the change function continues.

As shown in FIG. 3 (c), the follow-up processing module 14 may display the change of the target file in a confirmation window and ask whether to open the changed target file for confirmation. When the user clicks the 'Accept' button, the follow-up processing module 14 executes the program associated with the *.doc extension and opens 'camp.doc', renamed from 'soft.doc'.
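As an added illustration (not code from the patent or from the assignee), the following Python simulation models the S10 to S60 flow on an in-memory stand-in for the file system: each request is checked against designated functions and extensions, the target file is backed up before the change is applied, the number of backups per program within a time window is compared with a threshold, the offending process is stopped and its further requests are held for the query window, and the user's answer either releases the held requests or terminates the process and restores from backup. The class and function names, the dict standing in for the OS, the choice to measure the "backup amount" as backed-up files per window (bytes would work the same way), and the sample settings and requests are all assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Assumed settings; in the patent the security setting module 16 supplies them (S05).
DESIGNATED_FUNCTIONS = {"delete", "rename", "write"}   # the "change functions"
DESIGNATED_EXTENSIONS = {".doc", ".hwp", ".xlsx"}      # constructed list of protected extensions
THRESHOLD = 5          # backups allowed per window before the process is stopped
WINDOW_SECONDS = 2.0   # the "per unit time" part of the backup-amount threshold


@dataclass
class Request:
    """One function a process requested from the OS (constructed sample input)."""
    t: float        # seconds since start
    program: str    # executable owning the requesting process
    function: str   # requested OS function
    target: str     # target file path


class RansomwareGuard:
    """Checking module 11, backup module 12 and follow-up module 14 in one object,
    operating on a dict that stands in for the file system."""
    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files
        self.backups: Dict[str, bytes] = {}           # storage module 13 stand-in
        self.recent: Dict[str, Deque[float]] = {}     # program -> backup times in window
        self.touched: Dict[str, List[str]] = {}       # program -> paths it had backed up
        self.pending: Dict[str, List[Request]] = {}   # program -> requests held while stopped

    @staticmethod
    def _protected(req: Request) -> bool:
        ext = "." + req.target.rsplit(".", 1)[1] if "." in req.target else ""
        return req.function in DESIGNATED_FUNCTIONS and ext in DESIGNATED_EXTENSIONS

    def handle(self, req: Request) -> str:
        """S10-S30. Returns 'pass', 'backed_up', 'suspended' or 'blocked'."""
        if req.program in self.pending:               # process already stopped: hold it
            self.pending[req.program].append(req)
            return "blocked"
        if not self._protected(req):
            self._apply(req)
            return "pass"
        if req.target in self.files:                  # S20: back up before the OS acts;
            self.backups.setdefault(req.target, self.files[req.target])  # first copy wins
            self.touched.setdefault(req.program, []).append(req.target)
        window = self.recent.setdefault(req.program, deque())
        window.append(req.t)
        while req.t - window[0] > WINDOW_SECONDS:     # forget backups outside the window
            window.popleft()
        if len(window) > THRESHOLD:                   # S30: too many backups per unit time
            self.pending[req.program] = [req]
            return "suspended"
        self._apply(req)
        return "backed_up"

    def _apply(self, req: Request) -> None:
        """Stand-in for the OS executing the change function."""
        if req.target not in self.files:
            return
        if req.function == "delete":
            del self.files[req.target]
        elif req.function == "write":
            self.files[req.target] = b"<ciphertext>"
        elif req.function == "rename":
            self.files[req.target + ".locked"] = self.files.pop(req.target)

    def query(self, program: str) -> Tuple[str, List[str]]:
        """S40: program name and held target files, as the query window lists them."""
        return program, [r.target for r in self.pending.get(program, [])]

    def answer(self, program: str, agree: bool) -> int:
        """S60 (agree: release the process and execute the held functions, returns 0) or
        S50 (reject: terminate the process and restore; returns the number of files restored)."""
        held = self.pending.pop(program, [])
        if agree:
            self.recent.pop(program, None)
            for req in held:
                self._apply(req)
            return 0
        restored = 0
        for path in self.touched.pop(program, []):
            self.files[path] = self.backups[path]
            self.files.pop(path + ".locked", None)
            restored += 1
        return restored


def run_scenario() -> dict:
    """Constructed sample: a user's editor saves one document, then a suspicious
    program rewrites seven documents within a second and tries to delete a text file."""
    files = {f"doc{i}.doc": f"original {i}".encode() for i in range(8)}
    files["notes.txt"] = b"plain text"
    guard = RansomwareGuard(files)
    log = [guard.handle(Request(0.0, "editor.exe", "write", "doc0.doc"))]
    for i in range(1, 8):
        log.append(guard.handle(Request(1.0 + i / 10, "evil.exe", "write", f"doc{i}.doc")))
    log.append(guard.handle(Request(2.0, "evil.exe", "delete", "notes.txt")))
    program, targets = guard.query("evil.exe")
    restored = guard.answer(program, agree=False)       # the user clicks 'reject'
    return {"log": log, "targets": targets, "restored": restored, "files": files}
```

In `run_scenario()` the editor's single save passes with a backup, the sixth rapid write by `evil.exe` trips the threshold, every later request from that program (including the delete of an unprotected `.txt`, since the whole process is stopped) is held for the query window, and the reject answer puts the original bytes of all six backed-up documents back while leaving the editor's legitimate change alone.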

FIG. 4 is a flowchart illustrating another embodiment of the security method according to the present invention, described with reference to that figure.

The security method of the present embodiment further includes a security setting step S05 of setting the variable values used to implement the security device 10.

S05; Security setting step

The target files to be protected from ransomware may differ for each user. To this end, the security setting module 16 outputs a setting menu through which the user can select a designated file, extension or folder. The menu allows selection by file name input or selection, extension input or selection, or folder input or selection, and the security setting module 16 sets the selected file, extension or folder as the designated file, designated extension or designated folder. For reference, ransomware changes files by specific extension or by folder. Therefore, it is preferable to set a specific extension or folder as the designated extension or designated folder rather than designating only a specific file. In the claims below, files, extensions and folders are collectively referred to as files.

In addition, the security setting module 16 sets the threshold value of the backup module 12. The user enters a threshold value in the setting menu output by the security setting module 16, and this becomes the threshold value compared with the backup amount of target files performed by the backup module 12.

In addition, the security setting module 16 sets the backup capacity of the storage module 13. The user enters the backup capacity in the setting menu output by the security setting module 16, which sets the storage capacity of the storage module 13. For reference, within the limited backup capacity the storage module 13 automatically deletes older backup files so that subsequent backup files can continue to be stored.

The security device 10 of the present embodiment further includes an access control module 15 that secures the storage module 13 so that the storage module 13 safely stores the backup files of the backup module 12.

The access control module 15 encrypts and decrypts the storage module 13.

More specifically, in the backup step S20, when the backup module 12 generates a backup file and stores it in the storage module 13, the access control module 15 decrypts the encrypted storage module 13 so that the backup file can be stored. Once the backup file is stored, the storage module 13 is encrypted again so that the backup file is held securely. The access control module 15 decrypts the storage module 13 only for storing backup files; if the data in the storage module 13 needs to be decrypted for any other purpose, the decryption is performed with a separate management program.
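The two storage-side rules described in S05 and in the access control paragraphs above, a fixed backup capacity that evicts the oldest backup first and a store that is opened only for the duration of one backup write, are shown together in this added Python example; it is not the patent's or the assignee's code. The sealed state is modelled as a flag that refuses reads and writes rather than by encrypting a virtual disk, the `via_management_program` read path stands in for the separate management program, and the class names, capacity and sample files are constructed for the demo.

```python
from collections import OrderedDict
from contextlib import contextmanager
from typing import Iterator, List, Optional


class StorageSealed(Exception):
    """Raised when the backup store is touched while sealed (the patent's encrypted state)."""


class SealedBackupStore:
    """Storage module 13 with the behaviour of modules 15 and 16: a fixed backup
    capacity in bytes, oldest backup evicted first, and a store that is sealed at
    all times except while the backup module writes one file into it."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.used = 0
        self._sealed = True
        self._backups: "OrderedDict[str, bytes]" = OrderedDict()   # insertion order = age

    @contextmanager
    def unsealed_for_backup(self) -> Iterator[None]:
        """Access control module 15: open only for the duration of one backup write."""
        self._sealed = False
        try:
            yield
        finally:
            self._sealed = True          # sealed again even if the write raised

    def store(self, path: str, data: bytes) -> List[str]:
        """Backup module 12 writes one file; returns the paths evicted to make room."""
        if self._sealed:
            raise StorageSealed(path)
        if len(data) > self.capacity:
            raise ValueError(f"{path}: backup larger than the whole store")
        if path in self._backups:        # keep the first (original) copy of a path
            return []
        evicted: List[str] = []
        while self.used + len(data) > self.capacity:
            old_path, old_data = self._backups.popitem(last=False)   # oldest first
            self.used -= len(old_data)
            evicted.append(old_path)
        self._backups[path] = data
        self.used += len(data)
        return evicted

    def read(self, path: str, via_management_program: bool = False) -> Optional[bytes]:
        """Backups are readable only through the separate management program or
        while the store is unsealed; any other access is refused."""
        if self._sealed and not via_management_program:
            raise StorageSealed(path)
        return self._backups.get(path)

    def held(self) -> List[str]:
        return list(self._backups)


def demo() -> dict:
    """Constructed sample: a 24-byte store receiving three 10-byte backups."""
    store = SealedBackupStore(capacity_bytes=24)
    out: dict = {}
    for name in ("a.doc", "b.doc", "c.doc"):
        with store.unsealed_for_backup():          # module 15 opens the store for one write
            out[name] = store.store(name, name.encode() * 2)   # 10 bytes each
    out["held"] = store.held()
    try:
        store.store("d.doc", b"x")                 # outside a backup: the store is sealed
        out["sealed_write"] = "allowed"
    except StorageSealed:
        out["sealed_write"] = "refused"
    out["read"] = store.read("b.doc", via_management_program=True)
    return out
```

The third backup in `demo()` does not fit beside the first two, so the oldest (`a.doc`) is dropped, and a write attempted outside the `unsealed_for_backup()` block is refused; keeping the first copy of a path is a design choice so that a second write by the same process cannot replace the original with converted data.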

While the present invention has been described in connection with what are presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments; it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A security method against ransomware, comprising:
A checking step of checking, by the checking module, the request function and the target file of a process;
A backup step of comparing the request function with a designated function and, when the request function is confirmed as a designated function, backing up the target file and storing the backup file in the storage module;
An interruption step in which the checking module compares the backup amount of the backup module with a threshold value and stops the process when the backup amount exceeds the threshold value;
A query step in which the follow-up process module confirms, from the checking module, the execution program and the target file of the suspended process, and outputs a query window displaying the execution program name and the target file name; and
A process end step of terminating the interrupted process, or terminating both the process and the program, when the follow-up process module receives an input signal rejecting the process follow-up, and restoring the backup file of the storage module after the follow-up process module ends the process.

2. (deleted)

3. The method according to claim 1, wherein the backup step further comprises the access control module decrypting the encrypted storage module so that the backup module stores the backup file in the storage module, and the access control module encrypting the storage module again when the backup file has been stored in the storage module.

4. The method according to claim 1, further comprising a process follow-up step of, when the follow-up processing module receives an input signal agreeing to the process follow-up, releasing the interruption of the process through the checking module and continuing execution of the change function.

5. The method of claim 4, wherein the process follow-up step further comprises outputting the result of the change made by the continued process in the query window of the follow-up process module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150176971A KR101768082B1 (en) 2015-12-11 2015-12-11 Securing method for protecting the ransomware

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150176971A KR101768082B1 (en) 2015-12-11 2015-12-11 Securing method for protecting the ransomware

Publications (2)

Publication Number Publication Date
KR20170069584A KR20170069584A (en) 2017-06-21
KR101768082B1 KR101768082B1 (en) 2017-08-14

Family

ID=59282139

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150176971A KR101768082B1 (en) 2015-12-11 2015-12-11 Securing method for protecting the ransomware

Country Status (1)

Country Link
KR (1) KR101768082B1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20190074840A (en) 2017-12-20 2019-06-28 단국대학교 산학협력단 System and Method for Preventing Ransomware using File System Journaling
KR101889841B1 (en) 2018-02-20 2018-08-21 (주)지란지교시큐리티 Content firewall for security of multimedia file, security system of content and recording medium
KR20210001057A (en) 2019-06-26 2021-01-06 주식회사 엠시큐어 Method for detecting and blocking ransomware
KR102262679B1 (en) 2019-09-03 2021-06-09 (주)지란지교시큐리티 System and method for security of multimedia file and computer-readable recording medium
KR102343406B1 (en) * 2020-05-06 2021-12-24 원유준 Apparatus and computer program for protecting data files
KR102262688B1 (en) 2020-10-29 2021-06-09 (주)지란지교시큐리티 Recording medium
KR102262680B1 (en) 2020-10-29 2021-06-09 (주)지란지교시큐리티 Multimedia file security method and recording medium
KR102320387B1 (en) 2020-11-16 2021-11-03 (주)지란지교시큐리티 Computing apparatus for multimedia file security, multimedia file security method and recording medium
KR102303930B1 (en) 2020-11-26 2021-09-24 (주)지란지교시큐리티 System for multimedia file security, multimedia file security method and recording medium
KR102412298B1 (en) 2021-12-28 2022-06-23 (주)지란지교시큐리티 System for multimedia file security, operating method thereof and recording medium

Also Published As

Publication number Publication date
KR20170069584A (en) 2017-06-21

Similar Documents

Publication Publication Date Title
KR101768082B1 (en) Securing method for protecting the ransomware
EP3855330A1 (en) Protection and recovery of backup storage systems from ransomware attacks
EP3479280B1 (en) Ransomware protection for cloud file storage
US10289845B2 (en) Protecting backup files from malware
RU2617631C2 (en) Method for detection working malicious software runned from client, on server
EP3132373B1 (en) Systems and methods for security management of multi-client based distributed storage
US20170324755A1 (en) Method and System for Mitigating the Effects of Ransomware
US9633214B2 (en) Self-removal of enterprise app data
US8776236B2 (en) System and method for providing storage device-based advanced persistent threat (APT) protection
WO2015050620A2 (en) Method and system for backing up and restoring a virtual file system
US11601281B2 (en) Managing user profiles securely in a user environment
US20180026986A1 (en) Data loss prevention system and data loss prevention method
CN114546582A (en) Licensing for backup-related operations
CN114556869A (en) Key management for encrypted data
KR20130093775A (en) Apparatus, method, terminal and system for recovery protection of system files
US8108935B1 (en) Methods and systems for protecting active copies of data
US9990493B2 (en) Data processing system security device and security method
KR101429131B1 (en) Device and method for securing system
RU2622630C2 (en) System and method of modified data recovery
CN109145599B (en) Protection method for malicious viruses
JP2017204173A (en) Data protection program, data protection method, and data protection system
US10503898B2 (en) Method for defending against malware
JP4801777B2 (en) Authentication processing system, authentication processing method, and program
KR20230009343A (en) File server data protection method and apparatus capable of changing file or file attribute according to file event occurrence of file server
JP2019135577A (en) Control program, control method, and information processing device

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant